Topics In Information Security - PowerPoint PPT Presentation

1 / 21
About This Presentation
Title:

Topics In Information Security

Description:

Run A5/2 for 99 cycles. Run A5/2 for 228 cycles and use the output as keystream. ... C = M xor k (k is the keystream) H (C xor g) = H (M xor k xor g) ... – PowerPoint PPT presentation

Number of Views:7079
Avg rating:5.0/5.0

less

Transcript and Presenter's Notes

Title: Topics In Information Security


1
Topics In Information Security
  • Instant Ciphertext-Only Cryptanalysis of GSM
    Encrypted Communication

Elad Barkan Eli Biham Nathan Keller
Presented by Idan Sheetrit idanshee_at_post.tau.ac.i
l
2
Introduction
  • GSM is the most widely used cellular system in
    the world (over a billion customers).
  • Based on second generation cellular technology
    (offer digitalized voice).
  • GSM was the first cellular system which seriously
    considered security threats.
  • GSM was influenced by the political atmosphere
    around cryptology at the 1980s (did not allow
    civilians to use strong cryptography).
  • Protect only the air interface.

3
GSM structure
MSC
BSC
ISDN/ PSTN
Modem/ TA
Internet
BSC - Base Station Controller BTS - Base
Transceiver Station MSC - Mobile Switching
Center AuC - Authentication Centre TA - Terminal
Adapter
4
GSM Security
Mobile Station
Radio Link
GSM Operator
SIM
Ki
Ki
  • Ki pre-shared secret
  • A3,A8 One way functions.
  • A5/0 no encryption. A5/1 export restricted.
    A5/2 for export (weaker)

5
Description of A5/2
The key setup of A5/2
6
Description of A5/2 (2)
  • First initialize A5/2 with Kc and f.
  • Run A5/2 for 99 cycles
  • Run A5/2 for 228 cycles and use the output as
    keystream.
  • First 114 bits is used as a keystream to encrypt
    the downlink and the second half of 114 bits is
    used for the uplink.

7
Previous work
  • A5/1 and A5/2 was reversed engineered
  • Several Known-plaintext attacks were published
  • The best attack requires only four plaintext data
    frames.

8
Ciphertext-Only Attack on A5/2
  • GSM must use error correction to withstand
    reception errors.
  • During transmission a message is first subjected
    to an error-correction code, Then encrypted.
  • Structured redundancy in the message, Can be used
    for ciphertext-only attack.

9
Ciphertext-Only Attack on A5/2
  • Coding and interleaving operations can be modeled
    as a multipication of the message by constant
    matrix.
  • P - 184 bit message
  • G constant 456x184 matrix over GF(2)
  • g constant vector
  • M (G P) xor g (divided into 4 data frames)
  • G is binary matrix so there are 456-184272
    equations that describe the kernel of the inverse
    transformation.
  • H the matrix that describes these 272 equations
    i.e. H(M xor g) 0

10
Ciphertext-Only Attack on A5/2
  • C M xor k (k is the keystream)
  • H(C xor g) H(M xor k xor g) H(M xor g)
    xor Hk 0 xor Hk Hk
  • C known, so we have linear equations over the
    bits of k.

11
GSM Service Request and Authentication Protocol
Service Req
Ack (Use A5/1)
Authentication Data Request
RAND, XRES, Kc
AUTHREQ(RAND)
SRES XRES?
AUTHREQ(SRES)
Cipher
12
Class-Mark Attack
  • An attacker can change the class-mark
    information that the phone sends to the network.

Network
Service Req (A5/1)
Service Req (A5/2)
Use A5/2
  • The signal of the attacker must override the
    phone signal or by man-in-the-middle attack.

13
Recovering Kc of Past or Future Conversations
  • The protocol doesnt provide any key separation
    (all encryption algorithms use the same key)
  • An attacker can use a fake base station and
    instruct the phone to use A5/2 and then easily
    resolve Kc (Future Conversation Attack).
  • If an attacker recorded the conversation he can
    sends the recorded RAND to the phone.

RAND
  • If the attacker has access to the sim he can
    easily get Kc.

RES
  • If he doesnt he can instruct the phone to use
    A5/2.

Use A5/2
Cipher (A5/2)
14
Man in the middle attack
RAND
RAND
RES
CIPHMODCMDA5/2
CIPHMODCMD (Encrypted)
RES
CIPHMODCMDA5/1
CIPHMODCMD (Encrypted)
15
Attacks Scenarios
  • Call Wire-Tapping
  • Call Hijacking
  • Alerting of Data Messages (SMS)
  • Call Theft Dynamic Cloning

16
Protocol Weakness
  • Authentication protocol can execute at the
    beginning of the call. The phone cannot ask for
    authentication. In case that there is no
    authentication Kc stays as in previous
    conversation
  • The network chooses the encryption algorithm (the
    phone only reports the ciphers it support)
  • The class-mark message is not protected.
  • There is no mechanism that authenticates the
    network to the phone
  • No key separation between the algorithms or
    method of communication
  • RAND reuse is allowed

17
Acquire a Specific Victim
  • GSM includes a mechanism that is intended to
    provide protection on the identity of the mobile
    phone.
  • Each subscriber is allocated a Temporary Mobile
    Subscriber Identity (TMSI) over an encrypted link
  • The TMSI can be reallocated every once in a while
    in particular when there is a change in the
    location.
  • TMSI used to page on incoming calls and for
    identification during un-encrypted parts.
  • The fixed identification of the subscriber is its
    International Mobile Subscriber Identity (IMSI)
  • If both TMSI and IMSI are unknown to the attacker
    he may forced to listen in to all the
    conversations in the area.

18
Acquire a Specific Victim (2)
  • The attacker has the victim's phone number and
    wish to associate it with the subscriber's IMSI
    or TMSI.
  • Solutions
  • Can call the victim, and monitor all the calls
    (recognize his own caller ID).
  • Send a malformed SMS message.
  • When performing an active attack, the attacker
    needs to lure the mobile into his own fake base
    station.

19
GSM-Security
  • Cryptographic methods secret, not well examined
  • Symmetric procedure
  • consequence storage of user special secret keys
    with net operators required
  • No end-to-end encryption
  • Key generation and administration not controlled
    by the participants
  • Same key uses for A5/1 and A5/2.
  • No mutual authentication intended
  • consequence Attacker can pretend a GSM-Net
  • No end-to-end authentication
  • As a result of the initial publication of this
    paper GSM security group are working to remove
    A5/2 from the handsets.

20
Thank you
21
Homework
  • Define in one line the following GSM, UMTS,
    DECT, TETRA, ERMES.
  • Why using a SIM helps security?
  • How would you attack someones GSM mobile phone?
    describe the system and the steps on the attack.
  • Describe at least 3 known weaknesses of GSM and
    how you can fix them if you could change the
    standard or the system.
  • Bonus Describe a new attack (which isn't
    mentioned in the paper) on GSM network.

E-Mail idanshee_at_post.tau.ac.il
22
GSM structure
Fixed network
Switching Subsystems
Radio Subsystems
OMC
Data networks
VLR
HLR
AuC
EIR
(G)MSC
BTS
BSC
PSTN/ ISDN
BTS
BSS
MS
MS Mobile Station (G)MSC (Gateway) Mobile
Switching Centre OMC Operation and Maintenance
Centre PSTN Public Switched Telephone
Network VLR Visitor Location Register ISDN Integra
ted Services Digital Network
AuC Authentication Centre BSS Base Station
Subsystem BSC Base Station Controller BTS Base
Transceiver Station EIR Equipment Identity
Register HLR Home Location Register
23
GSM protocols, incoming call
(4)
(3)
VLR
HLR
BSS
(8)
(6)
(7)
(4)
(2)
(10)
(11)
(8)
(8)
(5)
(1)
(9)
(9)
MSC
GMSC
BSS
BSS
(12)
(12)
(8)
BSS
(1) Call from fixed network was switched via GMSC
(2) GMSC finds out HLR from phone number and
transmits need of conversation (3) HLR checks
whether participant for a corresponding service
is authorized and asks for MSRN at the
responsible VLR (4) MSRN will be returned to
GMSC, can now contact responsible MSC
24
GSM protocols, incoming call
(4)
(3)
VLR
HLR
BSS
(8)
(6)
(7)
(4)
(2)
(10)
(11)
(8)
(8)
(5)
(1)
(9)
(9)
MSC
GMSC
BSS
BSS
(12)
(12)
(8)
BSS
(5) GMSC transmits call to current MSC (6) ask
for the state of the mobile station (7)
Information whether end terminal is active (8)
Call to all cells of the Location Area (LA) (9)
Answer from end terminal (10 - 12) security check
and connection construction
25
GSM protocols, outgoing call
(1) Demand on connection (2) Transfer by
BSS (3-4) Control for authorization (5) Switching
of the call demand to fixed net
26
Protocol
Write a Comment
User Comments (0)
About PowerShow.com